BKA Identifies REvil Leaders Behind 130 German Ransomware Attacks
If you only read one thing: Germany’s BKA says it has identified two REvil figures, sharpening the law-enforcement record on a ransomware crew tied to 130 attacks.
As of April 7, 2026, the BKA announcement is the latest public law-enforcement development in this REvil case.
Executive summary
The BKA says it has identified two REvil-linked figures connected to 130 ransomware attacks in Germany. That claim comes from a law-enforcement probe, not a court verdict. The identification is the verified headline. The legal outcome is still separate.
The reporting, first summarized by The Hacker News, points to a long-running investigation into REvil, also known as Sodinokibi. REvil is defunct as an active brand. That does not make the case irrelevant.
The infrastructure, tactics, and affiliate model it used still shape current ransomware operations. That is the part defenders should watch.
Here is the distinction that matters. The BKA’s identification helps attribute past attacks and may support future charges or cross-border cooperation. It does not remove the risk from organizations that were hit, or from those that still have weak remote access, exposed backups, or poor recovery testing.
Why does a dead gang still matter? Because ransomware is an ecosystem, not a single crew. People move. Tools move. Data theft, extortion, and reuse of old access paths keep paying off long after a banner name disappears.
| Item | What is verified | What remains open |
|---|---|---|
| BKA identification | Two REvil-linked figures named | Any court finding |
| Attack scope | 130 ransomware incidents in Germany | Full recovery status for victims |
| Operational risk | REvil is no longer active as a brand | Reuse of its methods by others |
Security teams should read this as an attribution update, not a closure notice. IT operations should treat it as a reminder to test restores, lock down remote services, and review incident logs for old persistence. Any organization that still carries ransomware exposure should assume the same playbook can return under a different name.
Europol’s ransomware guidance and NIST’s ransomware overview both stress the same basics: reduce attack surface, keep offline backups, and rehearse recovery. Those controls are dull. They also work.
Last reviewed: April 7, 2026
Timeline and verified facts
The timeline starts in June 2019. That is when REvil appeared on the XSS cybercrime forum, using the alias UNKN to advertise its ransomware operation.
That forum post matters because it marks the group’s public entry point. From there, REvil grew into a ransomware-as-a-service operation, or RaaS. Core operators built and maintained the malware while affiliates carried out intrusions and extortion.
REvil is also known as Sodinokibi. The name changed over time, but the operating model stayed familiar: access brokers, initial compromise, encryption, and pressure on victims through stolen data.
By the time German investigators linked the group to their current probe, REvil was already a known criminal brand. The BKA’s present claim is narrower and more specific. It says it has identified two figures tied to the group, including the person using UNKN as an alias.
What is verified? The group surfaced in June 2019, ran as a RaaS crew, and is now defunct. What remains uncertain? Public reporting does not turn the BKA’s identification claim into a final court finding. That distinction still matters.
| Stage | What is established | What is not settled |
|---|---|---|
| June 2019 | REvil appears on XSS | Full internal structure |
| 2019 onward | Ransomware-as-a-service model | All affiliate relationships |
| Current BKA claim | Two figures identified, including UNKN | Any final judicial outcome |
The group’s defunct status is well established. That does not erase the record of attacks attributed to it. It does not answer every attribution question either.
It only means the brand no longer operates in public as a live ransomware service.
For the chronology, the sequence is simple. June 2019. RaaS expansion. Later law-enforcement identification. Anything beyond that should be labeled carefully unless a court record or official filing confirms it.
For the source trail, the BKA’s statement, reported under the headline “BKA identifies REvil leaders behind 130 German ransomware attacks”, is the key primary reference. RFC 9116 is sometimes cited alongside cases like this, but it does not describe ransomware or the ransomware-as-a-service model: it standardizes the security.txt file through which an organization publishes a security contact, which matters only insofar as it gives researchers and responders a reliable way to reach the right people during an incident.
Technical angle: how REvil’s model scaled damage
REvil did not need every attacker to be a coder. That was the point. The group ran a ransomware-as-a-service model, or RaaS, where core operators built the malware, payment portals, and leak sites, then affiliates did the break-ins and deployment.
That split changed the scale. One crew could infect many victims at once because the affiliate network handled the messy part of access. The operators kept control of the software, the rules for payment, and the public pressure campaign that followed.
- Ransomware-as-a-service (RaaS)
- A criminal subscription model. The developer supplies the ransomware and infrastructure, while affiliates carry out intrusions and split the proceeds.
- Initial access
- The first foothold inside a network. It often comes from stolen passwords, exposed remote services, phishing, or a compromised vendor account.
- Credential theft
- Stealing usernames, passwords, session tokens, or browser cookies. Once attackers have valid credentials, they can look like normal users.
- Exfiltration
- Copying data out of the victim network before encryption. That gives attackers leverage for double extortion.
The attack chain usually started well before encryption. Affiliates needed initial access, then they moved laterally, shifting from one internal system to another. Remote access tools helped here. So did stolen administrator credentials. A compromised VPN (virtual private network) gateway or remote desktop gateway could give them a clean path into the network.
Once inside, they mapped the environment. They looked for file servers, backup servers, and domain controllers. Why target backups first? Because recovery slows down when the clean copies disappear. If the victim cannot restore data quickly, the ransom pressure rises.
The encryption step was only part of the damage. REvil-style crews often copied data before locking files, then threatened to publish it if payment did not arrive. That is double extortion. It turns an availability problem into a confidentiality problem too.
Transport details matter here. Attackers need a way to move tools, credentials, and stolen data across the network and out of it. In many intrusions that traffic rides over common protocols: SMB (Server Message Block) for internal file copies and lateral movement, and HTTPS for command-and-control and exfiltration, where it blends in with normal web traffic. The protocol is ordinary. The use is not.
The BKA’s identification work still matters even after the brand fades. Attribution can expose the human network behind an operation, connect old intrusions to shared infrastructure, and help analysts link aliases across cases. It also improves future detection. If investigators know which operators favored certain access brokers, forums, or deployment patterns, they can trace related activity faster.
In our assessment, that is the lasting technical value of cases like this. The gang may be defunct. The tradecraft is not. And the record can still support incident response, especially when teams need to compare logs, backup events, and remote-access traces against known REvil behavior.
For response teams, RFC 2350 is a useful reference point because it describes what an incident response team should publish about its role and contact details. It does not stop ransomware. It does help organizations formalize who answers, who escalates, and who owns the evidence trail.
Impact on users and organizations
The direct effect on defenders is limited. The BKA’s identification of REvil figures helps investigators tie older incidents to real people, aliases, and infrastructure. It does not remove active ransomware crews from the field.
That distinction matters for SMBs, enterprises, managed service providers, and remote-work teams. These groups still face phishing, stolen credentials, exposed remote access, and backup abuse. Copycats and successor crews can reuse the same basic playbook. Different name. Same pressure.
For law enforcement, the value is evidentiary. Named suspects can support cross-border requests, case linking, and future prosecutions. That is a long game. It may also help separate one REvil cluster from another criminal team that borrowed the brand.
For operations teams, the value is more immediate. Incident responders can map historical indicators against their own logs, such as VPN authentication spikes, unusual PowerShell activity, or backup deletion events. Security teams can also revisit older detections and ask a sharper question: did we miss a known pattern, or did the attackers change tactics?
What changes for defenders? Better attribution, stronger case records, and a cleaner threat history. What does not change? Patch discipline, offline backups, multifactor authentication, and tight remote-access controls. Those controls still decide whether a copied REvil-style intrusion becomes a contained incident or a full outage.
SMBs usually feel the pain fastest. They have less room for downtime and fewer analysts to chase weak signals. Enterprises have more tools, but also more exposed services and more identities to protect. MSPs sit in the middle, and that makes them attractive. One compromise can fan out across many clients.
In our assessment, the identification also has a quiet deterrent effect. Criminal operators know names can surface later, even after a group fragments. Still, defenders should not treat that as a shield. The operational risk remains live, especially where remote work depends on shared admin tools, third-party access, and cloud-connected backups.
A practical response is straightforward. Review privileged accounts. Check whether remote access logs show unusual geographies or impossible travel. Validate restore points. And keep contact paths clear for incident handling. RFC 2350 defines the basic information a computer security incident response team should publish, which helps during a real event. It is not a defense control. It is coordination hygiene.
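The impossible-travel check mentioned above, as an added example that is not part of the original article and not tooling from the BKA case: it parses remote-access authentication logs, resolves each source address to a location, and flags consecutive successful logins by one user that would require faster-than-airliner travel. The log line format, the GeoIP prefix table and every event in SAMPLE_LOG are constructed for illustration; a real deployment would read the VPN gateway’s actual format and query a GeoIP database.

```python
"""Impossible-travel check over remote-access (VPN) authentication logs.

Added example, not from the BKA case or any REvil tooling. The log format,
the GeoIP table and the events below are constructed for illustration.
"""
from __future__ import annotations

import math
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed GeoIP table: /24 prefix -> (city, lat, lon). Assumption: these
# mappings are fictional; use a real GeoIP database in practice.
GEOIP = {
    "203.0.113.0/24": ("Frankfurt", 50.11, 8.68),
    "198.51.100.0/24": ("Sao Paulo", -23.55, -46.63),
    "192.0.2.0/24": ("Munich", 48.14, 11.58),
}

MAX_PLAUSIBLE_KMH = 900.0  # roughly airliner speed; faster implies shared or stolen credentials


@dataclass(frozen=True)
class Login:
    ts: datetime
    user: str
    src_ip: str
    result: str


def parse_line(line: str) -> Login | None:
    """Parse one constructed VPN log line such as
    '2026-04-06T08:00:00Z vpn-gw1 auth user=alice src=203.0.113.10 result=ok'.
    Returns None for lines that are not auth events."""
    parts = line.split()
    if len(parts) < 6 or parts[2] != "auth":
        return None
    fields = dict(p.split("=", 1) for p in parts[3:])
    ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Login(ts, fields["user"], fields["src"], fields["result"])


def locate(ip: str):
    """Crude /24 lookup against the constructed table; None if unknown."""
    prefix = ".".join(ip.split(".")[:3]) + ".0/24"
    return GEOIP.get(prefix)


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points on Earth in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dl = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def impossible_travel(lines: list[str], max_kmh: float = MAX_PLAUSIBLE_KMH) -> list[dict]:
    """Flag consecutive successful logins per user whose implied speed exceeds max_kmh."""
    by_user: dict[str, list[Login]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev.result == "ok":
            by_user[ev.user].append(ev)
    findings = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e.ts)
        for prev, cur in zip(events, events[1:]):
            a, b = locate(prev.src_ip), locate(cur.src_ip)
            if not a or not b:
                continue  # unknown geography: worth logging, but no travel can be computed
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            km = haversine_km(a[1], a[2], b[1], b[2])
            speed = km / hours if hours > 0 else float("inf")
            if km > 0 and speed > max_kmh:
                findings.append({"user": user, "from": a[0], "to": b[0], "km": round(km),
                                 "hours": round(hours, 2), "kmh": round(speed), "src": cur.src_ip})
    return findings


# Constructed sample: alice logs in from Frankfurt, then from Sao Paulo 30 minutes later;
# bob moves Munich -> Frankfurt in 55 minutes, which is plausible and must not fire.
SAMPLE_LOG = [
    "2026-04-06T08:00:00Z vpn-gw1 auth user=alice src=203.0.113.10 result=ok",
    "2026-04-06T08:05:00Z vpn-gw1 auth user=bob src=192.0.2.25 result=ok",
    "2026-04-06T08:30:00Z vpn-gw1 auth user=alice src=198.51.100.7 result=ok",
    "2026-04-06T09:00:00Z vpn-gw1 auth user=bob src=203.0.113.44 result=ok",
    "2026-04-06T09:10:00Z vpn-gw1 auth user=carol src=198.51.100.9 result=fail",
    "2026-04-06T09:11:00Z vpn-gw1 keepalive",
]

if __name__ == "__main__":
    for f in impossible_travel(SAMPLE_LOG):
        print(f"impossible travel: {f['user']} {f['from']} -> {f['to']} "
              f"{f['km']} km in {f['hours']} h (~{f['kmh']} km/h) from {f['src']}")
```

Failed logins are excluded on purpose: a failure from an odd geography is a password-spraying signal, not a travel signal, and belongs in a separate rule. Tune MAX_PLAUSIBLE_KMH downward if users never fly, and exempt known corporate egress or VPN-chaining addresses before trusting the result.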
Mitigation and diligence
The BKA’s naming of REvil leaders does not change the basics. Backups, identity controls, patch discipline, and logging still decide whether an intrusion becomes a business outage.
That starts with backups. Keep at least one offline or otherwise isolated copy. Test restores on a schedule, not after a crisis. A backup that cannot be restored is just storage.
Identity hardening comes next. Enforce multi-factor authentication on admin accounts, restrict legacy authentication, and review service accounts that never expire. Least privilege matters here. So does rapid removal of stale access.
Patching needs the same discipline. Prioritize internet-facing systems, remote management tools, VPN gateways, and file-transfer services. Attackers often move through a single exposed weakness, then pivot fast. NIST’s ransomware guidance and CISA’s recovery resources both stress that patching and exposure reduction are part of basic resilience, not optional extras.
Logging should be noisy enough to help, but focused enough to use. Centralize authentication logs, endpoint alerts, backup events, and privileged session records. Keep time synchronized across systems. Without that, incident timelines turn muddy very quickly.
- Network segmentation
- Separate user networks, server zones, backups, and administrative paths. If one segment is compromised, the attacker should not reach everything else without friction.
- Restore testing
- Practice full recovery, not just file-level checks. Test from clean media and confirm that critical applications come back in the right order.
- Incident-response contacts
- Publish and maintain a clear response profile aligned with RFC 2350. That document should name contact points, escalation paths, and service hours before an emergency starts.
- Detection tuning
- Watch for privilege escalation, mass file changes, disabled security tools, and unusual archive activity. Those signals often appear before encryption does.
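The pre-encryption signals listed under detection tuning, together with the backup-deletion and disabled-security-tool events the impact section says responders should hunt for, can be checked with a small triage pass over endpoint telemetry. The following is an added example, not tooling from the BKA case or from REvil: it scans process-creation and file-rename events for recovery tampering (shadow copy and backup catalog deletion, boot recovery disabled), for stops of security services, and for a burst of renames to one new extension on a single host. The event schema, the service list, the `.lockd` extension and every event in constructed_events() are constructed for illustration; real EDR or Sysmon fields differ.

```python
"""Pre-encryption signal triage over constructed endpoint telemetry.

Added example, not tooling from the BKA case or from REvil. The event schema
and every event below are constructed; real EDR or Sysmon fields differ.
"""
from __future__ import annotations

import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Commands that remove recovery options, a common step before encryption.
# Assumption: this pattern list is illustrative, not exhaustive.
RECOVERY_TAMPER = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
    re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
]
# Security services whose stop is suspicious (constructed, lower-cased list).
SECURITY_SERVICES = {"windefend", "sense", "mssecflt"}
MASS_WRITE_THRESHOLD = 50   # renames per host inside one window
MASS_WRITE_WINDOW_S = 60


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage(events: list[dict]) -> list[dict]:
    """Return one finding (kind, host, evidence) per suspicious signal, in event order,
    with mass-rename findings appended per host after the scan."""
    findings = []
    renames: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for ev in events:
        host = ev["host"]
        if ev["type"] == "process":
            cmd = ev.get("cmdline", "")
            if any(p.search(cmd) for p in RECOVERY_TAMPER):
                findings.append({"kind": "recovery_tamper", "host": host, "evidence": cmd})
            m = re.match(r"(?:sc(?:\.exe)?|net(?:\.exe)?)\s+stop\s+(\S+)", cmd, re.I)
            if m and m.group(1).lower() in SECURITY_SERVICES:
                findings.append({"kind": "security_tool_stop", "host": host, "evidence": cmd})
        elif ev["type"] == "file_rename":
            ext = ev["new_path"].rsplit(".", 1)[-1].lower()
            renames[host].append((_ts(ev["ts"]), ext))
    for host, items in renames.items():
        items.sort()
        start, flagged = 0, False
        for end in range(len(items)):
            # Sliding window: drop the oldest renames until the window fits.
            while (items[end][0] - items[start][0]).total_seconds() > MASS_WRITE_WINDOW_S:
                start += 1
            count = end - start + 1
            if count >= MASS_WRITE_THRESHOLD and not flagged:
                exts = defaultdict(int)
                for _, e in items[start:end + 1]:
                    exts[e] += 1
                top_ext, n = max(exts.items(), key=lambda kv: kv[1])
                findings.append({"kind": "mass_rename", "host": host,
                                 "evidence": f"{count} renames in {MASS_WRITE_WINDOW_S}s, {n} to .{top_ext}"})
                flagged = True  # one finding per host is enough to page someone
    return findings


def triage_jsonl(text: str) -> list[dict]:
    """Same check over newline-delimited JSON, the usual export format."""
    return triage([json.loads(line) for line in text.splitlines() if line.strip()])


def constructed_events() -> list[dict]:
    """Constructed telemetry: one workstation tampers with recovery, stops the AV service,
    then renames 60 files in 30 seconds; a file server shows only benign activity."""
    ev = [
        {"ts": "2026-04-06T08:58:00Z", "host": "ws-42", "type": "process",
         "cmdline": "cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet"},
        {"ts": "2026-04-06T08:58:05Z", "host": "ws-42", "type": "process",
         "cmdline": "sc.exe stop WinDefend"},
        {"ts": "2026-04-06T08:59:00Z", "host": "fs-01", "type": "process",
         "cmdline": "vssadmin.exe list shadows"},  # read-only admin query, must not fire
        {"ts": "2026-04-06T09:30:00Z", "host": "fs-01", "type": "file_rename",
         "new_path": "D:\\share\\report.docx"},
    ]
    base = datetime(2026, 4, 6, 9, 0, tzinfo=timezone.utc)
    for i in range(60):
        t = base + timedelta(seconds=i // 2)
        ev.append({"ts": t.strftime("%Y-%m-%dT%H:%M:%SZ"), "host": "ws-42", "type": "file_rename",
                   "new_path": f"C:\\Users\\alice\\Documents\\f{i}.docx.lockd"})  # .lockd is made up
    return ev


if __name__ == "__main__":
    jsonl = "\n".join(json.dumps(e) for e in constructed_events())
    for f in triage_jsonl(jsonl):
        print(f"{f['kind']:<20} {f['host']:<6} {f['evidence']}")
```

The three signals deliberately arrive in the order attackers tend to produce them: recovery tampering and tool disabling minutes before the rename burst. A rule that pages only on the rename burst is already late; pairing it with the earlier process events on the same host is what buys response time.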
Segmentation is often the difference between a contained event and a full shutdown. Separate backup systems from day-to-day admin traffic. Keep domain controllers, remote access tools, and file servers from sharing the same trust path unless there is a clear reason.
Incident-response readiness should be practical. Who approves isolation? Who can suspend accounts? Who speaks to legal, insurers, and law enforcement? Those answers need to exist before the pager goes off.
Attribution helps with context. It does not remove the need for basic controls. Disciplined hygiene still blocks more damage than any headline ever will.
Readers often ask
Readers often ask: What is REvil in the BKA case?
REvil was a ransomware-as-a-service group, also known as Sodinokibi. The BKA says it identified two key figures tied to that operation. The group may be inactive, but its methods still matter.
Readers often ask: How does REvil ransomware-as-a-service work?
The model splits work between core operators and affiliates. Affiliates usually get access, deploy the ransomware payload, and share the payment. That setup makes attribution harder and slows disruption.
Readers often ask: Why does identifying leaders matter if the group is gone?
It can support prosecutions, sanctions, and intelligence sharing. It also helps connect aliases, infrastructure, and older campaigns. But it does not replace basic defenses like patching, backups, and monitoring.
Readers often ask: Is data safe just because REvil is defunct?
No. Defunct groups leave behind tools, tactics, and copycats. Stolen data can still circulate or be reused for extortion. Weak credentials, exposed services, and poor backups remain common entry points.
Readers often ask: What should IT teams verify after this announcement?
Check offline or immutable backups first, then test restores. Review remote access, multifactor authentication, privileged accounts, and logging coverage. Also confirm incident-response contacts and evidence-preservation steps.
Readers often ask: How is REvil related to Sodinokibi?
They are the same ransomware family. Sodinokibi is the earlier name. REvil became the better-known label used in later reporting and investigations.